Topic: [SOLVED] DMZ setup (Read 9970 times)

I have been testing OPNsense to replace a couple of Draytek 3300 WAN routers. I do like the system after I got used to things :-)

One thing I cannot see an easy answer for is how to set up a simple DMZ for my server. In the Draytek it is very easy - NAT / DMZ host and add an IP address - but I can't see an 'easy' setting for it in OPNsense. I checked the wiki and had a search around but couldn't see any answers.

The server itself is viewable both internally from the LAN and externally from the WAN. Maybe I should harden that up a bit and just do port forwarding for the required ports?

Currently installed for testing on a Supermicro Atom (X7SPE-HF) box with 2 network ports, plus I am using an Edimax EU-4208 USB Ethernet adapter as a 3rd port (which amazingly it found), whilst I wait for a dual-port NIC to arrive.

Assigned all the ports and all working as expected as far as I can see.

What I was trying to do was create a DMZ for one internal IP address from one WAN port.

This is very easy on hardware-based routers like the Drayteks.

Yes, I can see I could do port forwarding, but there is no easy way to do a DMZ, so I guess there must be a different approach to this.

Also, I liked your hint that this info is what is needed on the documentation wiki handbook. And I will do the things outlined below in the next days, probably as early as Saturday night or Sunday. Thank you for the input.

--- Now! Back to your problem! Yes, I admit, the OPNsense GUI is impressive with all the menu items and sub-sub-menus - at first. It inherits this structure from its predecessor pfSense, though (do not blame them, it is just a huge list of features to configure).

Of course it is more difficult to sift through and to implement what one simply wants the shiny set-up OPNsense machine to do!

We are aware of this and are going to establish a free & open documentation, and our developers are working hard with an enormous dedication - step by step - to transition this knotted legacy issue to a more maintainable, structured and more secure front- and back-end, according to a defined MVC model (you can look it up at [https://wiki.opnsense.org/index.php/Architecture]).

I am not completely sure what you intend to do. However, the cue words DMZ and port forward give me a hint. You might want one of the three things that come to mind:

Conclusion: Now all TCP/IP traffic from a specified external source (IP, subnet) will be forwarded to the specified internal IP address or subnet - this is one of the many deployments of OPNsense's Virtual IP feature.

2) Static route: This is a solution if you want to reach two WAN networks (or one WAN = internet and one LAN in the building across your firm's courtyard with the financial stuff, or via a dedicated line in another city district) - hope you get the concept here.

In this scenario we dedicate an entire NIC to be the portal to the specified network (WAN, LAN, DMZ, whatever you call it), besides our standard WAN, which would be connected to the internet in most scenarios.

I am not sure if this is for you; it should help if you want to divert special TCP/IP protocols to different NICs, direction of view: from your machine (also if reacting to outside requests) to outside destinations (WAN, internet). In essence it combines the two solutions from above: a 1:1 NAT rule with an outbound NAT rule.

Yes, the box/board is not the latest and greatest, but it will probably work fine for me here as I don't have many users or much traffic. It's also low power and quiet :-)

In my main office I have a DL360 G5 to play with..... noisy little beast and probably overkill for the job, but it will be perfectly adequate again.

I have a server that runs my mail, some simple web stuff plus local file storage. In the past I have set it on a DMZ for the external services, but in reality this is probably not the best thing to do for security.

I think the 1-to-1 mapping is probably what I am looking at as a direct replacement - all external inbound traffic forwarded to one IP address. However, as I want the OPNsense box to run my VPNs, I note that it says:

"If you add a 1:1 NAT entry for any of the interface IPs on this system, it will make this system inaccessible on that IP address. i.e. if you use your WAN IP address, any services on this system (IPsec, OpenVPN server, etc.) using the WAN IP address will no longer function."

So in my case I may be better off using port forwarding for just the ports the server requires for external access.
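To make the three options discussed in this thread concrete, here is an added illustration written in FreeBSD pf.conf syntax (the packet filter underneath OPNsense). It is not from the thread and is not the ruleset OPNsense generates from its GUI; the interface name em0, the server address 192.168.1.10, the spare public address 203.0.113.5 and the port list are all assumed values. It shows, side by side, a Draytek-style "DMZ host" catch-all forward, a 1:1 NAT on a dedicated virtual IP (so the firewall's own WAN address stays free for IPsec/OpenVPN, which is the point of the warning quoted above), and the narrower port-forward-only approach the poster is leaning towards.

```pf
# Assumed values (illustration only, not the poster's real network)
ext_if = "em0"                 # WAN interface
server = "192.168.1.10"        # internal mail/web/file server
dmz_ip = "203.0.113.5"         # assumed spare public address (virtual IP)
srv_ports = "{ 25, 443, 993 }" # assumed set of services that must be reachable

# --- Option A: "DMZ host" as on the Draytek: everything arriving on the WAN
# address is handed to the server. Note this also swallows traffic meant for
# services the firewall itself runs on that address (IPsec, OpenVPN), which is
# exactly the problem the quoted 1:1 NAT warning describes.
# rdr on $ext_if inet from any to ($ext_if) -> $server
# pass in on $ext_if inet from any to $server keep state

# --- Option B: 1:1 NAT on a dedicated virtual IP. The server gets its own
# public address both ways; the firewall keeps ($ext_if) for its VPNs.
binat on $ext_if inet from $server to any -> $dmz_ip
pass in on $ext_if inet proto { tcp, udp } from any to $server keep state

# --- Option C: port forwarding only the required ports to the server.
# Everything else arriving on the WAN address is still dropped by the default
# block below, and the firewall's own services on ($ext_if) keep working.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $srv_ports -> $server

block in on $ext_if all
pass in on $ext_if inet proto tcp from any to $server port $srv_ports \
    flags S/SA keep state
pass out on $ext_if all keep state
```

Only one of the three options should be active for a given server; A is kept commented out above because it is the configuration the poster is moving away from. With option C, a practitioner can confirm from the outside that only the listed ports answer on the WAN address, which is the "harden that up a bit" the original post asks about; with option B, the same check is done against the virtual IP, and the WAN address itself should still answer only for the VPN services.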

Hi, if you like, please consider making some pictures of your hardware setup and giving some basic details about how many users and such, and upload it to our docu-wiki. I plan to have a hardware section showing users' hardware solutions and setups.